Dane testing and posttls-finger ???

[John Allen]

>      1. MTAs should run their own caching resolvers, even if they forward
>         to another caching resolver upstream (e.g. 8.8.8.8).
I used to run a local caching server, but ran into a problem when I 
first started using DNSSEC. To make life a little easier while sorting 
out the DNSSEC problems I got rid of it.
reinstated as of today.
using posttls-finger now produces expected results.
>      2. If you are doing any RBL lookups, you must not make them via an
>         upstream forwarder (avoid looking up RBLs via 8.8.8.8 and friends).
A little thought and this is obvious.
>      3. If you want any security from DANE when sending outbound
>         email to remote domains, you MUST use a local 127.0.0.1
>         resolver that validates DNSSEC record signatures for itself.
done, but why?
>         If you're not using 'smtp_tls_security_level = dane', then
>         the local resolver is not essential for security, but is still
>         a good idea.
>